JOURNALCTL CHEAT SHEET (DFIR EDITION)
Hal Pomeranz
v1.0

BEFORE YOU START

export SYSTEMD_PAGER=
    Set SYSTEMD_PAGER to null so that output lines wrap instead of
    scrolling through a pager.

journalctl -D /path/to/directory
journalctl --file=somefile
    Journal logs are normally found under /var/log/journal/MACHINE_ID.
    Use the -D switch to specify an alternate directory (e.g. the
    journal directory from a mounted evidence image), or --file to
    select individual journal files.

journalctl --header
    Summarizes information from each journal file. Includes first/last
    dates, boot number, number of objects, etc.

OUTPUT MODES

-q -o short
    Syslog-style output w/o extra header (-q suppresses the
    "Logs begin at ..." banner)
-q -o short-iso --utc
    Better timestamp, force UTC output
-o json
    Single-line JSON, one entry per line, for script processing
-o json-pretty
    Multi-line JSON for readability

SPECIFY TIME RANGES

-S, --since
-U, --until
    Search after/before the specified time. Quote specifiers that
    contain spaces. Sample time specifiers:

    -S "2024-08-07 09:30:00"
    -S 2024-07-24
    -U yesterday
    -U "15 minutes ago"
    -S 2024-07-24 -U yesterday

    Caveat: -S/-U are interpreted in the analysis machine's local time
    zone; --utc only changes how output is displayed. Append UTC to the
    specifier (e.g. -S "2024-08-07 09:30:00 UTC") when the evidence host
    and your workstation are in different zones.

SIMPLE SEARCH CRITERIA

--facility=name
    Search by syslog facility name (e.g. authpriv)
-u name.service
    Search by systemd unit name
-t identifier
    Match the SYSLOG_IDENTIFIER field (the program name in syslog-style
    output)
-g regex
    PCRE match against the log message text. Matching is
    case-insensitive if the pattern is all lowercase; use
    --case-sensitive to override.

OTHER FIELDS

journalctl -N
    List all field names found in the journal
journalctl -F FIELD
    List all values found for the given field
journalctl FIELD=value
    Match entries where the named FIELD equals the chosen value

EXAMPLE COMMANDS

journalctl -q -o short --facility=authpriv
    Recreate /var/log/auth.log

journalctl -q -o short-monotonic --dmesg
    Recreate traditional dmesg output

journalctl -q -o short-iso -u ssh -g Accepted
    Who is logging in with SSH and from where? (The unit is ssh on
    Debian/Ubuntu but sshd on Fedora/RHEL; check with -F _SYSTEMD_UNIT.)

journalctl -q -o short-iso -t sudo -g COMMAND= -r
    Pull interesting sudo-related messages, most recent first (-r)

journalctl -q -o short-iso _UID=1000
    Find messages related to a given user ID

journalctl -q -o short-iso -f
    On a live system, show continuous logs (like tail -f); Ctrl-C aborts
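The "-o json ... for script processing" mode above is the natural feed for triage tooling. The following is an added example, not part of the cheat sheet: a small Python script that consumes `journalctl -q -o json -u ssh -g Accepted` output and produces a who/where/when table in UTC. It relies on two real journal fields, `__REALTIME_TIMESTAMP` (microseconds since the epoch, as a string) and `_HOSTNAME`, and on the standard sshd "Accepted <method> for <user> from <src> port <port>" message format. It also handles the case where journalctl emits MESSAGE as an array of byte values (non-UTF-8 payloads). The sample input, host name, user names and addresses are constructed for the demonstration; the unit name ssh.service is the Debian/Ubuntu one.

```python
"""Triage sshd logins from `journalctl -o json` output.

Added example (not from the cheat sheet): reads one JSON object per line,
as produced by `journalctl -q -o json -u ssh -g Accepted`, and emits a
table of who logged in, from where, and when (UTC).
"""
import json
import re
import sys
from datetime import datetime, timezone

# sshd's success line, e.g. "Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: ..."
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def message_text(entry):
    """Return MESSAGE as text.

    journalctl -o json prints MESSAGE as a string when it is valid UTF-8 and
    as an array of byte values otherwise; handle both so odd payloads do not
    crash the triage run.
    """
    msg = entry.get("MESSAGE", "")
    if isinstance(msg, list):
        return bytes(msg).decode("utf-8", errors="replace")
    return msg


def realtime_utc(entry):
    """Convert __REALTIME_TIMESTAMP (microseconds since the epoch) to ISO-8601 UTC."""
    us = int(entry["__REALTIME_TIMESTAMP"])
    return datetime.fromtimestamp(us // 1_000_000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_accepted_logins(json_lines):
    """Return a list of dicts, one per sshd 'Accepted ...' entry, in journal order."""
    logins = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        m = ACCEPTED_RE.match(message_text(entry))
        if not m:
            continue
        logins.append({
            "time": realtime_utc(entry),
            "host": entry.get("_HOSTNAME", "?"),
            "user": m["user"],
            "method": m["method"],
            "src": m["src"],
            "port": int(m["port"]),
        })
    return logins


def _record(ts_us, message):
    """Build one record shaped like a `journalctl -o json` line (constructed fixture)."""
    return json.dumps({
        "__REALTIME_TIMESTAMP": str(ts_us),
        "_HOSTNAME": "web01",
        "SYSLOG_IDENTIFIER": "sshd",
        "_SYSTEMD_UNIT": "ssh.service",
        "MESSAGE": message,
    })


# Constructed sample input standing in for real journal output (hosts, users
# and addresses are made up for the example).
SAMPLE_LINES = [
    _record(1722853800000000,
            "Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:kJx3sample"),
    _record(1722853830000000,
            "Failed password for invalid user admin from 198.51.100.7 port 40021 ssh2"),
    # Emulate the byte-array form journalctl uses for non-UTF-8 MESSAGE fields.
    _record(1722853895000000,
            list(b"Accepted password for bob from 198.51.100.7 port 40022 ssh2")),
]


def main():
    # Read real journal output from a pipe; fall back to the fixture when run by hand.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    print("time,host,user,method,src,port")
    for row in parse_accepted_logins(source):
        print(",".join(str(row[k]) for k in ("time", "host", "user", "method", "src", "port")))


if __name__ == "__main__":
    main()
```

Typical use against a mounted image (the paths and script name are hypothetical): `journalctl -q -o json -D /mnt/evidence/var/log/journal -u ssh -g Accepted | python3 ssh_logins.py`. Timestamps are taken from `__REALTIME_TIMESTAMP` rather than re-parsed from the rendered line, so the result is independent of the workstation's time zone.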


